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of SPU software/firmware. Such permanent portions may "Kernel" programs and/or some or all of the non-kernel 

include, for example, code that interfaces to hardware ele- "load modules" may be stored by SPU 500 in memory 

ments such as the RTC 528, encryption/decryption engine external to it. Since a secure database 610 may be relatively 

522, interrupt handlers, key generators, etc. Some of the large, SPU 500 can store some or all of secure database 610 

operating system, library calls, libraries, and many of the 5 in external memory and call portions into the SPU 500 as 

core services provided by SPU 500 may also be in masked needed. 

ROM 532a. In addition/some of the more commonly used As mentioned above, memory external to SPU 500 may 
" , ' not be secure. Therefore, when security is required, SPU 500 
executables are also good candidates for uf*°™ ™sked information before writing it to external 
ROM 532a Items that need to be updated or that need to m J n P d de t ^ information rea d from external 
disappear when power is removed from SPU 500 should not 10 memory before ^ jt Inasmuch ^ the encryption layer 
be stored in masked ROM 532a. re j ies on processes and information (e.g., encryption 
Under some circumstances, RAM 534a and/or NVRAM a ig 0r i t hms and keys) present within SPU 500, the encryp- 
534b (NVRAM 534b may, for example, be constantly tion layer effectively "extends" the SPU security barrier 502 
powered conventional RAM) may perform at least part of (0 protect information the SPU 500 stores in memory 
the role of ROM 532. 15 externa i to it. 
SPU Internal RAM SPU 500 can use a wide variety of different types of 
SPU 500 general purpose RAM 534 provides, among externa i mem ory. For example, external memory may corn- 
other things, secure execution space for secure processes. In prise e i ectron i c appliance secondary storage 652 such as a 
the preferred embodiment, RAM 534 is comprised of dif- djsk; externa i EEPROM or flash memory 658; and/or exter- 
ferent types of RAM such as a combination of high-speed 20 na] 6s6 External RAM 656 may comprise an external 
RAM 534a and an NVRAM ("non-volatile RAM") 534b. nonvolatile (e.g. constantly powered) RAM and/or cache 
RAM 534a may be volatile, while NVRAM 534b is pref- 

erably battery backed or otherwise arranged so as to be Using extemal ram loca i t0 S pjj 500 can significantly 

non-volatile (i.e., it does not lose its contents when power is improve access times to information stored externaUy to an 

turned off). 25 spl j p or examp le ( external RAM may be used: 

High-speed RAM 534a stores active code to be executed (o buffer memory pages an(J daU structures prior t0 

and associated data structures. their sto m flash memory or on an external hard 

NVRAM 534b preferably contains certain keys and sum- ^ (assuming transfer t0 flash or hard disk can 0CC ur 

mary values that are preloaded as part of an mUiahzation m significant po We r or system failure cases); 

process in which SPU 500 communicates with a VDE 30 M( f Uon and d tion buffers for data bcing 

administrator, and may also store changeable or changing ^ yDE & 30Q 

information associated with the operation of SPU 500. For structures cu 

security reasons, certain highly sensitive information (e.g., a v . ... , 

sK-iaiij ivoau , e j v a< j aspect of providing a secure virtual 

certain load modules and certain encryption key related usc ** a . 1 £ *» 

information such as internally generated private keys) needs 35 memor y environment for SPU 500. 

to be loaded into or generated internally by SPU 500 from to cache other information in order to for example, 

time to time but, once loaded or generated internally, should ^duce frequency of access by an SPU to secondary 

never leave the SPU. In this preferred embodiment, the SPU storage 652 and/or for other reasons 

500 non-volatile random access memory (NVRAM) 534b ported external RAM can be particularly effective in 

may be used for securely storing such highly sensitive 40 improving SPU 500 performance since it can decrease the 

information. NVRAM 534b is also used by SPU 500 to store data movement overhead of the SPU bus interface unit 530 

data that may change frequently but which preferably should and SPU microprocessor 520. 

not be lost in a power down or power fail mode. Using external flash memory local to SPU 500 can be 
NVRAM 534b is preferably a flash memory array, but used to significantly improve access times to virtually all 
may in addition or alternatively be electrically erasable 45 data structures. Since most available flash storage devices 
programmable read only memory (EEPROM), static RAM have limited write lifetimes, flash storage needs to take into 
(SRAM), bubble memory, three dimensional holographic or account the number of writes that will occur during the 
other electro-optical memory, or the like, or any other lifetime of the flash memory. Hence, flash storage of ^re- 
writable (e.g., randomly accessible) non-volatile memory of quently written temporary items is not recommended. If 
sufficient speed and cost-effectiveness. so external RAM is non-volatile, then transfer to flash (or hard 
SPU External Memory d^my notbenecessary^ 

The SPU 500 can store certain information on memory External memory used by SPU 500 may include two 

devices external to the SPU. If available, electronic appli- categories: 

ance 600 memory can also be used to support ar© device external memory dedicated to SPU 500, and 

external portions of SPU 500 software. Certain advantages 55 memory shared with electronic appliance 600. 

may be gained by allowing the SPU 500 to use external For some VDE implementations, sharing memory (e.g., 

memory. As one example, memory internal to SPU 500 may electronic appliance RAM 656, ROM 658 and/or secondary 

be reduced in size by using non-volatile read/write memory storage 652) with CPU 654 or other elements of an elec- 

in the host electronic appliance 600 such as a non-volatile tronic appliance 600 may be the most cost effective way to 
portion of RAM 656 and/or ROM 658. 60 store VDE secure database management files 610 and infor- 

Such external memory may be used to store SPU mation that needs to be stored external to SPU 500. A host 

programs, data and/or other information. For example, a system hard disk secondary memory 652 used for general 

VDE control program may be, at least in part, loaded into the purpose file storage can, for example, also be used to store 

memory and communicated to and decrypted within SPU VDE management files 610. SPU 500 may be given exclu- 
500 prior to execution. Such control programs may be 65 sive access to the external memory (e.g., over a local bus 

re-encrypted and communicated back to external memory high speed connection provided by BIU 530). Both dedi- 

where they may be stored for later execution by SPU 500. cated and shared external memory may be provided. 
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values of any convenient length, including as small as a SPU Memory Architecture 

single bit per use. A random number of arbitrary size may be In the preferred embedment, SPU 500 uses three general 

constructed by concatenating values produced by random kinds of memory: 

number generator 542. A cryptographically strong pseudo- (1) internal ROM 532; 

random sequence may be generated from a random key and 5 (2) internal RAM 534; and 

seed generated with random number generator 542 and (3) external memory (typically RAM and/or disk supplied 

repeated encryption either with the encrypt/decrypt engine by a host electronic appliance). 

522 or cryptographic algorithms in SPU 500. Such The internal ROM 532 and RAM 534 within SPU 500 

sequences may be used, for example, in private headers to provide a secure operating environment and execution 

Sate effort to determine an encryption key through 10 space Because of cost limitations, chip fa .ncaUor, , size 

immune cixuiu. ,f o complexity and other limitations, it may not be possible to 

cryptoanalysis-, , , ... provide sufficient memory within SPU 500 to store all 

Arithmetic Accelerator 544 information that an SPU needs to process in a secure 

An optional anthmetic accelerator 544 may be provided ^ (o ^ ^ Qn ^ amount of RQM 

within an SPU 500 in the form of hardware circuitry that can ^ ^ gu ^ ^ ^ within spu m 

rapidly perform mathematical calculations such as multipli- 15 gpu 5Q0 may gtore ^formation in memory external to it, 

cation and exponentiation involving large numbers. These and mQVe (his ij,f onnat i on i nt0 and out of its secure internal 

calculations can, for example, be requested by microproces- mernory spa ce on an as needed basis. In these cases, secure 

sor 520 or encrypt/decrypt engine 522, to assist in the processing steps performed by an SPU typically must be 

computations required for certain asymmetric encryption/ segmented into small, securely packaged elements that may 

decryption operations. Such arithmetic accelerators are well- 20 ^ e «p a g e( j m » an d "paged out" of the limited available 

known to those skilled in the art. In some implementations, internal memory space. Memory external to an SPU 500 

a separate arithmetic accelerator 544 may be omitted and may not be secure. Since the external memory may not be 

any necessary calculations may be performed by micropro- secure, SPU 500 may encrypt and cryptographically seal 

cessor 520 under software control. code and other information before storing it in external 

DMA Controller 526 25 memory. Similarly, SPU 500 must typically decrypt code 

DMA controller 526 controls information transfers over and other information obtained from external memory in 

address/data bus 536 without requiring microprocessor 520 encrypted form before processing (e.g., executing) based on 

to process each individual data transfer. Typically, micro- it. In the preferred embodiment, there are two general 

processor 520 may write to DMA controller 526 target and approaches used to address potential memory limitations in 

destination addresses and the number of bytes to transfer, 30 a SPU 500. In the first case, the small, securely packaged 

and DMA controller 526 may then automatically transfer a elements represent information contained in secure database 

block of data between components of SPU 500 (e.g., from 610. In the second case, such elements may represent 

ROM 532 to RAM 534, between encrypt/decrypt engine 522 protected (e.g., encrypted) virtual memory pages. Although 

and RAM 534, between bus interface unit 530 and RAM virtual memory pages may correspond to information ele- 

534, etc.). DMA controller 526 may have multiple channels 35 ments stored in secure database 610, this is not required in 

to handle multiple transfers simultaneously. In some this example of a SPU memory architecture, 

implementations, a separate DMA controller 526 may be The following is a more detailed discussion of each of 

omitted, and any necessary data movements may be per- these three SPU memory resources, 

formed by microprocessor 520 under software control. SPU Internal ROM 

Bus Interface Unit (B1U) 530 40 SPU 500 read only memory (ROM) 532 or comparable 
Bus interface unit (BIU) 530 communicates information purpose device provides secure internal non-volatile storage 
between SPU 500 and the outside world across the security for certain programs and other information. For example, 
barrier 502 BIU 530 shown in FIG. 9 plus appropriate driver ROM 532 may store "kernel" programs such as SPU control 
software may comprise the "appliance link" 510 shown in firmware 508 and, if desired, encryption key information 
FIG 6. Bus interface unit 530 may be modelled after a 45 and certain fundamental "load modules." The kernel 
USART or PCI bus interface in the preferred embodiment. programs, load module information, and encryption key 
In this example BIU 530 connects SPU 500 to electronic information enable the control of certain basic functions of 
appliance system bus 653 shown in FIG. 8. BIU 530 is the SPU 500. Those components that are at least in part 
designed to prevent unauthorized access to internal compo- dependent on device configuration (e.g., TOST memory 
nents within SPU 500 and their contents. It does this by only 50 allocation, and a dispatcher) may be loaded in ROM 532 
allowing signals associated with an SPU 500 to be processed along with additional load modules that have been deter- 
by control programs running on microprocessor 520 and not mined to be required for specific installations or apphca- 
suoportine direct access to the internal elements of an SPU lions. 

50 q 6 In the preferred embodiment, 532 may comprise a 

Memory Management Unit 540 55 combination of a masked ROM 532a and an EEPROM 

Memory Management Unit (MMU) 540, if present, pro- and/or equivalent "flash' memory 532*>. EEPROM or flash 

vides hardware support for memory management and virtual memory 532b is used to store items that need to be updated 

memory management functions. It may also provide height- and/or initialized, such as for example, certain encryption 

ened security by enforcing hardware compartmentalization keys. An additional benefit of providing EEPROM and/or 

of the secure execution space (e.g., to prevent a less trusted 60 flash memory 5326 is the ability to optimize any load 

task from modifying a more trusted task). More details are modules and library functions persistently stored within 

provided below in connection with a discussion of the SPU 500 based on typical usage at a specific site Although 

architecture of a Secure Processing Environment ("SPE") these items could also be stored in NVRAM 534b, 

503 supported by SPU 500. ' EEPROM and/or flash memory 5326 may be more cost 

MMU 540 may also provide hardware-level support func- 65 effective, 

tions related to memory management such as, for example, Masked ROM 532a may cost less than flash and/or 

address mapping. " EEPROM 532fc, and can be used to store^permanent portions 
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power supply as the only power source for RTC 528 may 
significantly reduce the usefulness of time based security 
techniques unless, at minimum, SPU 500 recognizes any 
interruption (or any material interruption) of the supply of 
external power, records such interruption, and responds as 
may be appropriate such as disabling the ability of the SPU 
500 to perform certain or all VDE processes. Recognizing a 
power interruption may, for example, be accomplished by 
employing a circuit which is activated by power failure. The 
power failure sensing circuit may power another circuit that 
includes associated logic for recording one or more power 
fail events. Capacitor discharge circuitry may provide the 
necessary temporary power to operate this logic. In addition 
or alternatively, SPU 500 may from time to time compare an 
output of RTC 528 to a clock output of a host electronic 
appliance 600, if available. In the event a discrepancy is 
detected, SPU 500 may respond as appropriate, including 
recording the discrepancy and/or disabling at least some 
portion of processes performed by SPU 500 under at least 
some circumstances 

If a power failure and/or RTC 528 discrepancy and/or 
other event indicates the possibility of tampering, SPU 500 
may automatically destroy, or render inaccessible without 
privileged intervention, one or more portions of sensitive 
information it stores, such as execution related information 
and/or encryption key related information. To provide fur- 
ther SPU operation, such destroyed information would have 
to be replaced by a VDE clearinghouse, administrator and/or 
distributor, as may be appropriate. This may be achieved by 
remotely downloading update and/or replacement data and/ 
or code. In the event of a disabling and/or destruction of 
processes and/or information as described above, the elec- 
tronic appliance 600 may require a secure VDE communi- 
cation with an administrator, clearinghouse, and/or distribu- 
tor as appropriate in order to reinitialize the RTC 528. Some 
or all secure SPU 500 processes may not operate until then. 

It may be desirable to provide a mechanism for setting 
and/or synchronizing RTC 528. In the preferred 
embodiment, when communication occurs between VDE 
electronic appliance 600 and another VDE appliance, an 
output of RTC 528 may be compared to a controlled RTC 
528 output time under control of the party authorized to be 
"senior" and controlling. In the event of a discrepancy, 
appropriate action maybe taken, including resetting the RTC 
528 of the "junior" controlled participant in the communi- 
cation. 

SPU Encrypt/Decrypt Engine 522 

In the preferred embodiment, SPU encrypt/decrypt engine 
522 provides special purpose hardware (e.g., a hardware 
state machine) for rapidly and efficiently encrypting and/or 
decrypting data. In some implementations, the encrypt/ 
decrypt functions may be performed instead by micropro- 
cessor 520 under software control, but providing special 
purpose encrypt/decrypt hardware engine 522 will, in 
general, provide increased performance. Microprocessor 
520 may, if desired, comprise a combination of processor 
circuitry and dedicated encryption/decryption logic that may 
be integrated together in the same circuitry layout so as to, 
for example, optimally share one or more circuit elements. 

Generally, it is preferable that a computationally efficient 
but highly secure "bulk" encryption/decryption technique 
should be used to protect most of the data and objects 
handled by SPU 500. It is preferable that an extremely 
secure encryption/decryption technique be used as an aspect 
of authenticating the identity of electronic appliances 600 
that are establishing a communication channel and securing 
any transferred permission, method, and administrative 
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information. In the preferred embodiment, the encrypt/ 
decrypt engine 522 includes both a symmetric key 
encryption/decryption circuit (e.g. DES, Skipjack/Clipper, 
IDEA, RC-2, RC-4, etc.) and an antisymmetric 

5 (asymmetric) or Public Key ("PK") encryption/decryption 
circuit The public/private key encryption/decryption circuit 
is used principally as an aspect of secure communications 
between an SPU 500 and VDE administrators, or other 
electronic appliances 600, that is between VDE secure 

10 subsystems. A symmetric encryption/decryption circuit may 
be used for "bulk" encrypting and decrypting most data 
stored in secondary storage 662 of electronic appliance 600 
in which SPU 500 resides. The symmetric key encryption/ 
decryption circuit may also be used for encrypting and 

is decrypting content stored within VDE objects 300. 

DES or public/private key methods may be used for all 
encryption functions. In alternate embodiments, encryption 
and decryption methods other than the DES and public/ 
private key methods could be used for the various encryp- 

20 tion related functions. For instance, other types of symmetric 
encryption/decryption techniques in which the same key is 
used for encryption and decryption could be used in place of 
DES encryption and decryption. The preferred embodiment 
can support a plurality of decryption/encryption techniques 

25 using multiple dedicated circuits within encrypt/decrypt 
engine 522 and/or the processing arrangement within SPU 
500. 

Pattern Matching Engine 524 

Optional pattern matching engine 524 may provide spe- 

30 cial purpose hardware for performing pattern matching 
functions. One of the functions SPU 500 may perform is to 
validate/authenticate VDE objects 300 and other items. 
Validation/authentication often involves comparing long 
data strings to determine whether they compare in a prede- 

35 termined way. In addition, certain forms of usage (such as 
logical and/or physical (contiguous) relatedness of accessed 
elements) may require searching potentially long strings of 
data for certain bit patterns or other significant pattern 
related metrics. Although pattern matching can be per- 

40 formed by SPU microprocessor 520 under software control, 
providing special purpose hardware pattern matching engine 
524 may speed up the pattern matching process. 
Compression/Decompression Engine 546 
An optional compression/decompression engine 546 may 

45 be provided within an SPU 500 to, for example, compress 
and/or decompress content stored in, or released from, VDE 
objects 300. Compression/decompression engine 546 may 
implement one or more compression algorithms using hard- 
ware circuitry to improve the performance of compression/ 

50 decompression operations that would otherwise be per- 
formed by software operating on microprocessor 520, or 
outside SPU 500. Decompression is important in the release 
of data such as video and audio that is usually compressed 
before distribution and whose decompression speed is 

55 important. In some cases, information that is useful for 
usage monitoring purposes (such as record separators or 
other delimiters) is "hidden" under a compression layer that 
must be removed before this information can be detected 
and used inside SPU 500. 

60 Random Number Generator 542 

Optional random number generator 542 may provide 
specialized hardware circuitry for generating random values 
(e.g., from inherently unpredictable physical processes such 
as quantum noise). Such random values are particularly 

65 useful for constructing encryption keys or unique identifiers, 
and for initializing the generation of pseudo-random 
sequences. Random number generator 542 may produce 
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"oversee" performance of the other required methods in a ERROR method 

control process. FIG. 46 shows how the required methods/ DECRYPT method 

processes 402, 404, 406, and 408 of FIG. 45 can be ENCRYPT method 

organized and controlled by a control method 410. Control nccxonv i, a 

method 410 may call, dispatch events, or otherwise invoke 5 Uti> 1KO Y content memod 

the other methods 402, 404, 406, 408 and otherwise super- INFORMATION method 

vise the processing performed in response to an "event." OBSCURE method 

Control methods operate at the level of control sets 906 FINGERPRINT method 

within PERCs 808. They provide structure, logic, and flow EVENT method 

of control between disparate acquired methods 1000. This 10 rrwrawT 

mechanism permits the content provider to create any me 0 

desired chain of processing, and also allows the specific EXTRACT method 

chain of processing to be modified (within permitted limits) EMBED method 

by downstream redistributors. This control structure concept METER method 

provides great flexibility. 15 BUDGET method 

FIG. 47 shows an example of an "aggregate" method 412 nnrTcrcB 

which collects METER method 404, BUDGET method 406 Rbols 1 tK mettK)d 

and BILLING method 408 into an "aggregate" processing BILLING method 

flow. Aggregate method 412 may, for example, combine AUDIT method 

various elements of metering, budgeting and billing into a 20 An ACCESS method may be used to physically access 

single method 1000. Aggregate method 412 may provide content associated with an opened container (the content can 

increased efficiency as a result of processing METER be anywhere). A PANIC method may be used to disable at 

method 404, BUDGET method 406 and BILLING method least a portion of the VDE node if a security violation is 

408 aggregately, but may decrease flexibility because of detected. An ERROR method may be used to handle error 

decreased modularity. 25 conditions. A DECRYPT method is used to decrypt 

Many different methods can be in effect simultaneously. encrypted information. An ENCRYPT method is used to 

FIG. 48 shows an example of preferred embodiment event encrypt information. A DESTROY content method is used to 

processing using multiple METER methods 404 and mul- destroy the ability to access specific content within a con- 

tiple BUDGET methods 1408. Some events may be subject tainer. An INFORMATION method is used to provide public 

to many different required methods operating independently 30 information about the contents of a container. An 

or cumulatively. For example, in the example shown in FIG. OBSCURE method is used to devalue content read from an 

48, meter method 404a may maintain meter trail and meter opened container (e.g., to write the word "SAMPLE" over 

information records that are independent from the meter trail a displayed image). A FINGERPRINT method is used to 

and meter information records maintained by METER mark content to show who has released it from the secure 

method 4046. Similarly, BUDGET method 408a may main- 35 container. An event method is used to convert events into 

tain records independently of those records maintained by different events for response by other methods. 
BUDGET method 408f>. Some events may bypass BILLING 

method 408 while nevertheless being processed by meter Open 

method 404a and BUDGET method 408a. A variety of FIG. 49 is a flowchart of an example of preferred embodi- 

dtfferent variations are possible. 40 mem prQcess s , eps for an examp , e of a „ opEN 

REPRESENTATIVE EXAMPLES OF VDE method 1500. Different OPEN methods provide different 

METHODS detailed steps. However, the OPEN method shown in FIG. 

49 is a representative example of a relatively full-featured 
Although methods 1000 can have virtually unlimited "open" method provided by the preferred embodiment. FIG. 
variety and some may even be user-defined, certain basic 45 49 shows a macroscopic view of the qpen method. FIGS, 
"use" type methods are preferably used in the preferred 49a-49fare together an example of detailed program con- 
embodiment to control most of the more fundamental object trolled steps performed to implement the method shown in 
manipulation and other functions provided by VDE 100. For pjQ 49 

example the foUowmg high ^j™* 0115 would 5Q The OPEN method process starts with an "open event." 

e provi e or o jec manipu a ion. Qpen event ma y ^ e g^^i^ Dv a us er application, an 

OPEN method operating system intercept or various other mechanisms for 

READ method capturing or intercepting control. For example, a user appli- 

WRITE method q cation may issue a request for access to a particular content 

CLOSE method. 55 stored within the VDE container. As another example, 

An OPEN method is used to control opening a container another method may issue a command, 

so its contents may be accessed. A READ method is used to In the example shown, the open event is processed by a 

control the access to contents in a container. A WRITE control method 1502. Control method 1502 may call other 

method is used to control the insertion of contents into a methods to process the event. For example, control method 

container. A CLOSE method is used to close a container that ^ 1502 may call an EVENT method 1504, a METER method 

has been opened. " 1506, a BILLING method 1508, and a BUDGET method 

Subsidiary methods are provided to perform some of the 1510. Not all OPEN control methods necessarily call of 

steps required by the OPEN, READ, WRITE and/or CLOSE these additional methods, but the OPEN method 1500 

methods. Such subsidiary methods may include the follow- shown in FIG. 49 is a representative example. 

ln 8 : 65 Control method 1502 passes a description of the open 

ACCESS method event to EVENT method 1504. EVENT method 1504 may 

PANIC method determine, for example, whether the open event is permitted 
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train's) and audit record(s) for storage into the secured is to be metered based upon number of pages read, then user 
database (blocks 2554, 2556). AUDIT method 2520 may request "events" for reading less than a page of ^formation 
then retrieve the audit requests) from the secure database may be ignored. In another example, if a system event 
I ' " .. „ 'L m \: hn j tn n , n ,„ nrncecc the represents a request to read a certain number of bytes, and 
and determine the response mejod to. ™ to ^ J EVENT method 1000 is part of a control process 

request (blocks 2558 2560). AUDIT method 2520 may at 5 para graphs, then the EVENT method may 

this stage send event's) contained in the request record(s) to JS ^ ^ ^ * ^ many paragraphs 

the appropriate response method and generate response ^ ^ bytes requested . This pr0C ess may 

record(s) and requests based on this method (blocks 2562, m . tQ , latomic e i ements » to be discussed in 

2564). The processing block 2562 may involve a commu- mQre detafl 1 & 1 £ r- 

nication to the outside world. id EVENT method 402 filters out events that are not sig- 

For example, AUDIT method 2520 at this point could call n jfi ca nt with regard to the specific control method involved, 
an external process to perform, for example, an electronic EVENT method 402 may pass on qualified events to a 
funds transfer against the user's bank account or some other METER process 1404, which meters or discards the event 
bank account. The AUDIT administrative response can, if based on its own particular criteria, 
desired, call an external process that interfaces VDE to one 15 i n addition, the preferred embodiment provides an opti- 
or more existing computer systems. The external process mization called "precheck." EVENT method/process 402 
could be. passed the user's account number, PIN, dollar may perform this "precheck" based on metering, billing and 
amount or any other information configured in, or associ- budget information to determine whether processing based 
ated with the VDE audit trail being processed. The external on an event will be allowed. Suppose, for example, that the 
process can communicate with non-VDE hosts and use the 20 user has akeady exceeded her budget with respect to access- 
information passed to it as part of these communications. ing certain information content so that no further access is 
For example, the external process could generate automated permitted. Although BUDGET method 408 could make this 
clearinghouse (ACH) records in a file for submittal to a determination, records and processes performed by BUD- 
bank This mechanism would provide the ability to auto- GET method 404 and/or BILLING method 406 might have 
matically credit or debit a bank account in any financial 25 to be "undone" to, for example, prevent the user from being 
institution. The same mechanism could be used to commu- charged for an access that was actually denied. It may be 
nicate with the existing credit card (e.g. VISA) network by more efficient to perform a "precheck" within EVEN! 
submitting VDE based charges against the charge account. method 402 so that fewer transactions have to be undone. 

Once the appropriate Audit response re«,rd(s) have been METER method 404 may store an audit record in a meter 
generated, AUDIT method 2520 may write an Audit admin- 30 "trail" UDE 1200, for example, and may also record infor- 
istrative record(s) into an administrative object for commu- mation related to the event m a meter UDE 1200. tor 
nication back to the VDE user node that generated the Audit example, METER method 404 may increment or decrement 
■ request (blocks 2566, 2568). The AUDIT method 2520 may a "meter" value within a meter UDE 1200 each time content 
then save communications and response processing audit is accessed. The two different data structures (meter UDE 
information in appropriate audit trail(s) (blocks 2570, 2572) 35 and meter trail UDE) may be maintained to permit record 
before terminating (at terminate point 2574). keeping for reporting purposes to be maintained separately 

FIG 44c shows an example of steps that may be per- from record keeping for internal operation puiposes, tor 
formed by the AUDIT method 2520 back at the VDE user example. . . AaA . 

node upon receipt of the administrative object generated and Once the event is metered by METER method 404 the 
sent by FIG 44b block 2566. The steps 2580-2599 shown 40 metered event may be processed by a BILLING method 406. 
in FIG 44c are similar to the steps shown in FIG, 43d for the BILLING method 406 determines how much budget is 
REGISTER method 2400 in the "administrative reply" consumed by the event, and keeps records that are useful for 
mode Briefly, these steps involve receiving and extracting reconciliation of meters and budgets. Thus, for example, 
appropriate response records from the administrative object BILLING method 406 may read budget information from a 
(block 2584), and then processing the received information 45 budget UDE, record billing information in a billing UDE, 
appropriately to update secure database records and perform and write one or more audit records in a billing trail UDE. 
any other necessary actions (blocks 2595, 2596). While some billing trail information may duplicate meter 

and/or budget trail information, the billing trail information 
Examples of Event-Driven Content-Based Methods is useful, for example, to allow a content creator 102 to 

50 expect a payment of a certain size, and serve as a reconcili- 
VDE methods 1000 are designed to provide a very ^ *^ ^ meter ^ information sent to 

flexible and highly modular approach to secure processing. ^ m ^ t ^ information ^ t0> for 

A complete VDE process to service a < use event may ^ nt faudget provi(Jer 

typically be constructed as a combination of methods 1000. BILLING method 406 may then pass tb©event on to a 
As one example, the typical process for reading content or ^ BUDGET method m BUDGET method 408 sets limits 
other information from an object 300 may involve the ^ transactkmal mfonnation associated with those 

following methods: limi(s For examp i e; BUDGET method 408 may store bud- 

an EVENT method get information in a budget UDE, and may store an audit 

a METER method record in a budget trail UDE. BUDGET method 408 may 

a BILLING method 60 result in a "budget remaining" field in a budget UDE being 

a BUDGET method. decremented by an amount specified by BILLING method 

FIG. 45 is an example of a sequential series of methods 406. 
performed by VDE 100 in response to an event. Id this The information content may be released, or other action 
example, when an event occurs, an EVENT method 402 may taken, once the various methods 402, 404, 406, 408 have 
"qualify" the event to determine whether it is significant or 65 processed the event. ... 
not. Not all events are significant. For example, if the As mentioned above, PERCs 808 in the preferred embodi- 
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EVENT method 1000 in a control process dictates that usage ment may be provided with control methods mat in enect 
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ART-UNIT: 232 .... 
PRIMARY -EXAMINER: Williams, Jr.; Archie E. 
ASSISTANT -EXAMINER: Mohamed; Ayni 
ATTY-AGENT-FIRM: Ptak; LaValle D. 

ABSTRACT : 

A computer based function control system is particularly suited for use 
as a software security device on the highly popular personal computers or 
a micro-processor driven function. The system includes an encrypted 
security message uniquely encoded at predetermined locations within the 
software or function program. The software or function program includes 
pre-set errors in it to cause failure of execution of the function or 
software program unless the errors are nulled during operation of the 
function or software program. A separate electronic key for retrieving, 
recognizing, decrypting, encrypting, and producing the null signals is 
connected to the communications port of the computer from which the key 
draws its power as well as the security message passed from the computer 
to the key and back to the computer. There is interchange of moving 
target and validation information between the computer software and the 
electronic key. This information is transferred via the security message 
under the cover of encryption and is monitored by the key and the 
software to insure that operation' of the program can be effected only by 
authorized users of the function or software program (that is those 
having the key uniquely associated with that program) . 
19 Claims, 5 Drawing figures 
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means to place said telephone call when said detecting 
means detects the presence or absence of said backup 
AC power. 

4. The monitoring apparatus of claim 1 wherein said 
communication means includes means for transmitting a 5 
user-recorded voice message. 

5. The monitoring apparatus of claim 3 further compris- 
ing: 

a mass storage device associated with said computer; 

data interface means connected to said control means and 10 
said computer for connecting the monitoring apparatus 
to said computer to transfer data between the monitor- 
ing apparatus and said mass storage device associated 
with said computer in response to signals received from 
said control means; and 

data conversion means connected to said control means 
and said communication means for receiving digital 
data defining a user-recorded voice message and gen- 
erating an output to said communication means com- 2 q 
patible with said telephone network, to generate said 
voice message on said telephone network; 

wherein said digital data defining said user recorded voice 
message is stored on said mass storage device within 
the computer, and said control means retrieves said zs 
digital data and transmits said data to the data conver- 
sion means whereby said voice message is generated 
and transmitted. 

6. The monitoring apparatus of claim 1 further comprising 
recording means connected to the communication means 30 
and the control means for recording a response from the 
person receiving the telephone call. 

7. The monitoring apparatus of claim 5 further compris- 
ing: 

a mass storage device associated with said computer, 35 

data interface means connected to said control means and 
said computer for connecting the monitoring apparatus 
to said computer to permit transfer of data between the 
monitoring apparatus and said mass storage device 
associated with said computer in response to signals 40 
received from said control means; 

data conversion means connected to said control means 
and said communication means for receiving a voice 
message from said communication means, generating a 
digital output representative of said voice message, and 
transmitting said digital output to said control means; 

wherein said, data interface means transfers said digital 
output representing said voice message to said com- 
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puter where said digital data is stored in said mass 
storage device. 

8. A method of monitoring an operation of an external AC 
power supply system connected to a computer, comprising 
the steps of: 

monitoring power output of said power supply to the 
computer; 

detecting a change in the presence or absence of said 
power output; 

generating an indicating signal when said change in the 
presence or absence of said power output is detected; 
and 

transmitting said indicating signal to an automatic tele- 
phone communications means for selectively establish- 
ing a connection between said automatic telephone 
communications means and a telephone network, and 
placing a telephone call to a person in a location away 
from the computer when said change in the presence or 
absence of said power outant is detected. 

9. The method of claim 8 comprising the further steps of: 
providing a selectively operable source of backup AC 

power, and ! ^" 
providing' switching means for switching the power sup- 
ply "of ( . the computer from said external AC power 
suppiy' jo said backup AC source in response to said 
generated indicating signal when said signal indicates 
that>aid external AC power is absent. 

10. The method of claim 8 comprising the further steps of: 
selectively ^obtaining digital data from a mass storage 

device ^sociated with said computer, said digital data 
rer^senting^user-recorded voice message; 
converting the digital data to a signal format compatible 
with said telephone network to form said voice mes- 
sage; and ,.• • 

transmitting said voice message signal format in said 
telephone call: 

11. The method of claim 8 comprising the further steps of: 
receiving avoice response signal from the recipient of 

said telephone call; 

converting the voice response signal into a digital data 
format corapauble with a mass storage device associ- 
ated' with said computer and representing said voice 
response signal ; and 

storing said digital data in said mass storage device for 
later rerxieval'and review. 
' ^2t1f'*tj'' ! ■"' 
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i ' protection. Electronic appliances such as computers employed in 

accordance with the present invention help to ensure that information is 
accessed and used only in 'authorized ways, and maintain the integrity, 
availability, and/or confidentiality, of the information. Secure^ 
subsystems used with such 1 electronic appliances provide a distributed 
virtual distribution environment • (VDE) that may enforce ^secure chain of 
handling and control, for example,, to control and/or meter or otherwise 
monitor use of electronically stored or disseminated information. Such a 
virtual distribution environment ■ may be used to protect rights of various 
participants in electronic commerce and other electronic or 
electronic-facilitated transactions. Secure distributed and other 
operating system environments and architectures, employing, for example, 
secure semiconductor processing arrangements that may establish secure, 
protected environments at each node .These techniques may be used to 
support an end-to-end electronic information distribution capability that 
may be used, for example, '"utilising the "electronic highway." 
220 Claims, 177 Drawing fic 
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UNIT SERIAL CABLE NOT PROPERLY CON- 
NECTED— When this error message occurs, the serial 
cable between the Unit and the Work Station is properly 
connected into the serial port. 
UNIT NOT RESPONDING— The Unit appears to be 
properly connected, but the Unit is not responding to 
requests sent by the Work Station. 
If any of the above errors occur, the related error message 
will appear for approximately 60 seconds; except in the case 
of the SCHEDULED REBOOT error message, which will 
appear until a key is pressed. If the Fl Key is pressed during 
this period, TRAKLOAD will re-attempt processing. This* 
could correct a situation where, for example, the Unit's 
power ON/OFF switch had just been turned on. When 60 
seconds have passed or another key is pressed, batch file 
processing will continue without the Job Status Monitoring 
system. Any Job Status Monitoring programs included in the 
batch file such as TRAKBEG, TRAKCALL, etc. will simply 
issue the message 'TRAKBEG needs to be run first" and 
then abort 

If no errors are detected 952, processing continues at 
block 953 where the current Job Status alert dialing string(s) 
entered during Setup processing 6 are sent to the Unit Then, 
a text file named "TRAKLOG" is updated 954 by the 
TRAKLOAD program in the default directory used when 
the TRAKLOAD program is initialed. If this file does not 
exist, it will be created by the TRAKLOAD program. 
Otherwise, an entry will be appended to the log indicating 
when TRAKLOAD was initiated and any errors that may 
have precluded Job Status Monitoring processing from 30 
occurring. 

TRAKBEG 955 is the second batch file program executed 
to initiate a Job Status Monitoring batch file. TRAKBEG 
installs a small memory resident TSR program (Le. less than 
2K in size) that must be loaded immediately after TRAK- 
LOAD. TRAKBEG processing will terminate if either 
TRAKLOAD has not been run or TRAKBEG was previ- 
ously loaded into memory 956. TRAKBEG is automatically 
removed from memory when the TRAKEND program is 
invoked at the end of a Job Status Monitoring session. 
TRAKBEG monitors all disk activity during a Job Status 
Monitoring session. Optionally, a parameter can be given to 
TRAKBEG on the program execution command line to set 
the maximum number of seconds that may occur between 
successive disk accesses before a job step is considered to 45 
have failed 957. The default number of seconds is currently 
set to 300 seconds. The minimum number of seconds that 
may be specified is currently set to no more than 999 
seconds. If the number specified exceeds this limit or is not 
a valid numeric expression, TRAKBEG processing is 
aborted 957. Otherwise, the program notifies the Unit that a 
job status monitoring session is about to begin 958. When 
this message is received by the Unit, the Unit expects 
periodic (i.e. no more than once every five seconds) com- 
munications, from the Work Station each time a disk access 
occurs during the 5 second interval of reporting. If such 
constant communication cease for longer than the specified 
maximum number of seconds, the Unit will initiate job step 
failure calls. As the final step in TRAKBEG processing, TSR 
is loaded into memory 959 whose function is to monitor disk 60 
accesses occurring within the Work Station, as discussed 
above. 

During a monitoring session, the TRAKSTEP program 
960 may be inserted into the Job Status Monitoring batch file 
to assign a numeric ID to the next job(s) being executed. 
TRAKSTEP must always have a parameter indicating a 
NUMERIC step number. This step number cannot exceed 2 
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numeric digits. If the step number exceeds two digits, only 
the left most two digits will be used as the step number. If 
a alert or failure call is placed during Job Status Monitoring, 
step numbering helps the person called determine how far all 
jobs have progressed. The Job Status Monitoring system 
does not require that the TRAKSTEP programs be used. The 
default step assumed by the system when the T RAKSTEP 
feature is not used is step 1. When TRAKSTEP is executed, 
the job number specified on the command line is sent to Unit 
961 where it is stored in nonvolatile ram and used for any 
subsequent alert calls. 

The next program used for Job Status Monitoring is 
TRAKCALL 962. Whenever the TRAKCALL program is 
invoked the TRAKCALL program tells the Unit to place 
alert calls to everyone contained in the Job status call table 
indicating the last step number stored in non-volatile RAM 
was successfully completed 963. 

The final program in a Job Status Monitoring session is 
TRAKEND 964. This program should always be run as the 
last step in a Job Status Monitoring session. If the Job Status 
monitoring program, is not present in memory 965, TRAK- 
END has Ph'otinng"to 'do and processing is terminated. Oth- 
erwise, TRA«I3r^4nforihs the Unit that the Job Status 
Monitoring 'session has ended 966 and no further commu- 
nications should be expected from the Work Station. Finally, 
TRAKEND terminates removing the TRAKBEG TSR from 
memory : 967 J . iCT "; p - 1 v 
We claim:* 35 *" -■' 

1. A momtoring apparatus for monitoring an operation of 
a power supply'system connected to a computer, compris- 
ing: '■ '-"^ • 
first connaitihg "means for connecting an external AC 

power source .to the monitoring apparatus; 
power output means connected to said first connecting 
means for supplying said AC power from the monitor- 
ing apparatus "to said computer, 
detecting:means connected to said first connecting means 
for detecting the presence or absence of said AC power 
and' generating an mdicating signal in response; 
commlttMcatiorTmeans connected to said detecting means 
for,se|'ectiyeiy connecting the monitoring apparatus to 
a|elephpne^eWqrk and placing a telephone call 
'''penm1&Tl(Kaiiba away ftom the system; and •' 
controlineanstconnected to said detecting means and said 
cornmunication means for receiving said indicating 
signal- and activating said cornmunication means to 
placed said" telephone call when said detecting means 
detects the presence or absence of said AC power. 

2. The monitoring apparatus of claim 1 further compris- 
ing: *. : -' 7 • 

second connecting means for selectively connecting a 
source ;of, backup AC power to said power output 
means; and. 

switching means connected to said first and second con- 
necting means," said detecting means, and said power 
output meani for switching the supply of said power 
ou»uti#eins from said external AC power source to 
said' backup. AC power source in response to said 
indjcBiingvsignal from the detecting means when said 
signal indicates, that said external AC power is absent 

3. Th^rnoru^OTihg apparatus of claim 2 further comprising 
second detecting ; means connected to said second connecting 
means'and said craitrol means for detecting the presence or 
absence <pf said backup AC power and generating a second 
indicating signal in response; 

wherein/saldvcontrol means further receives said second 
indicating, signal and activate said communication 
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sign (#) is generated arid sent to the paging service 715, the 
telephone is placed back oh hook 714, processing for this 
routine ends, and ANSWERED is returned to the calling 
program. If the Fail Safe : alert call is being placed as a result 
of a either- a total power failure 708 Or a work station failure 
710, the call must be as a rcsulftof a loud sound detected. In 
this case a touch tone^is-geherated representing the number 
3, if the loud sound is>identifieda>'ason-alert, or .4, if the 
loud sound epuld not be specifically identified. Then, the 
applicable tone is sent to the paging service 713, a pound 
sign (#) is generated and sent to the paging service 715 and 
the telephone is placed back on hook 714. Then, processing 
for this routine ends, and ANSWERED is returned to the 
calling program. 

If the call is not being placed as a result of a job tracking 
monitoring session 707A, processing continues at block 
712B. If the call is as a result of a job step ending 712B, the 
touch tone sequence "*0*" is transmitted to the paging 
service 712C. If the call is as] a result of a job step failing 

712Pif the )$gkm?m^ffl^m®&&& * 
pagu^tservice TJ^vtf toejCaU-is iasm rjesult of _a mam, power 
facing 7^, - 'i^^^tqqg^i<g^^g§g > ';i8 transmitted 
to, fcjBaging 1 serOTcejtl26:;K the; call.jsjaj a ; rejs v ult^f ajWork 
Siajiqnkah^ 

transimltedUotth^^ j&te .callciscasM 

iesultisofa »uW<)dcnStattoicfaaure^l2Jin>the ttouchntone 
^eqiiehcetn%99^MtransMtte& pagingiservice, 712K. 
NexUiDfH^stdiiestcorrespoiidm ftp, jobxsteppmumber 
;activejwhen'-.theiiCaUiwas ,placed;tO/ s thei paging ^Service, are 
generated sjndittarismu^tothet'pagingiservice 7i2I2.'I£;no ''' 
^obistep'bas-b^ispecffiedifb? 

•the defaulticoaeKL'e.- , »4^^^^^tinsIIlitted?IfiaIlrjbte 
step^iartdcme by the time the call is placed, the code "*0*" 
will .Be trananittecbCTig places as v.w.t <■>;> ,: r 
jy'Aterbe ne^sary'job status tf^kr^'paging cpdes'have j S 
1t^'tikainfii^^'^^i|!iig Service'*! pound sign (#)' is. 
gcnera^'an3 e sent~to the paging'-sc^ce'715i l the telephone 
is placed back on r^k-7I4, i pioce4si , ng for tMs routine'ends, 
a^ANSWEREBIisretu^^ . 
■i4^.|pjgi^^&e^^io^i<iM%te ! is'de^eti-m'tte 40 
.<ae^'*ForHD'ial!We'W 

f beginning^ at 51 b'feck'- tftfe' 'TW&vsur^routihe resets' the ' call 
progtess**!^^^ : 
WW&tf&^SSiMi^Sm^^ GP-^Flag ,c 

Jr-fiiBt """" 



20 



25 



set 730, the sub^roujine will end and return an answered 
code to the calling program. If the Temporary flag is set 730, 
then^the Geij^al) Progress sub-routine is invoked (see FIG. 
5AN cprineetb| J^pi- which returns the status of the call, 
proOBsfl^^^^bv^ : -iends'' ?nd -returns to the calling 
prograin.;"If^e''i^^ the routine ends 

and :#$Sjyp^ the calling program. 

. If 'there^are. 'more idigitS tp be processed 725, and the 
current dipt' is not -an at-sign -@' 726, then this subroutine 
loops back to ;723 tio dial the next digit. However, if it is an 
at-sign (meariing the dialing digits necessary to complete the 
call have ibeen #aied), then the Temporary flag is cleared 
727 and me Get Call-Progress sub-routine 728 is invoked 
(see FIG. 5 AN connector BJ). If the call is answered 729, 
this sub-routine ioops back to block 724 to process any 
remaining dialing digits, which represents the desired alert 
code, an automated, switchboard phone extension, etc. that 
user wants to have delivered^after the call is answered. In 
cases where, a call is made- to an automated switch board 
^t^t^^^^t^eeeiM^ voice messages are 
"aiuMunc^'atiS t&ith>tShes m 
eaeh* ; leyS-'s;<pr^fee^eTd M 

M^idi^MIS^Ml^&^^te^ii pause' per comma enter 
W<S&S)fb&b&&&6$a& pari^of-uie'dialing string causing 

'^WmS^^^if^C^m f?88ar%essage 
systemtt&deliyWiQiie alej^messa^ePWben-mere^are no more 
f digns'relasi1rimgi725j tBesub-rbudHe^will'efldandretu^ 
'aMwe^fa^fefthe^(^lmg>prog^ani. '(Noterat this point 
the' i teri^b^ifldgewMlh^ve^bettf set to off in block '-727;) 

'^^^m5^m^6^m&^. Begumiiig 
l^t^^X^m^StfiR^^^i stand alone 'prwbessijig 
caparMieSWmon^orthe status-of a Fail Safe calls a^r the 
phone mmiD&^^n^dffled. •■ '■■ • - >' 

"rasm^" 1 • 



The first soi 

2issas.ia.aa- 



follows, 
norrriallythe 

first pione rm^^^rpu^^waits up'to ten seconds^ for this 
ii&'ni^ a A < ^ii&a^p^-Af'toaiid (between 'O'.l-' and 
m'titfti^WMrm^ffid clicks and static' are 
'ignor&<if'r®^ 

.u^fe^iV^^^i^ro^.! g£» irthis •initial 
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progr^ 'HoweveK' if the ; 26's timer' 'reaches 5 'seconds 
T wjthouf bltel&rigXcbn^ of 
'caki&SifrW^ ityi it is^assy^'a dikl tone w'as hot 
.'d^c^^p^ii^lii^^fdie''^^ >nc^' Wd' FAiL is 
retum^jto uie c^lj'ng^p^ ..' ' , ( " '.'/■'[ " . , „7 55 

The process d£ dialing ia rAone, number is detailed in the 
Dial ^Pbone NurnDerVub : routine on FIG: 5AM beginning at 
block 722. This : sub-routine beguis Jby setting a Temporary 
flag 722A wHicH isiffied^to. indicate when 'a phone number 
v hapof y;et. ^^0^^^%^^^?^ 60 

r rrwtine^_r" 
;sarngjes > 
.porating- 
.routine^tests^ 
-t^rej^^r^rTOre-^igits^ 



tested aga^vset-sr^mc h^u. Tbere are two counters and 




Ki-ma^^e^W&'betmffa 0.2 and 03 seconds (for 
secondGbttsy^tobi^ be narrowed 




j^^ig^x^^S^^I^B^, shpuld sound present not 
^i^^^^^f^^^^'JVmt isjvconsiderwl 
•dete^.and'Mijusyf^ 

- i.;;*If TheM^A^iriteg reMhes^yalueipf, ten^ dien'-theicall 
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system ^Requests,: arerStransnrirttedl'^t^ J^W^fc"':'^. 

^f.ir.styideh.t'i'fi'e^ anij\a '.'second; j.i'den^^ 

;, pr6'vided ; -by^.t-he.^^^ the^reque'sterji'inpd^ • 

.p'ii^s^^fcijproy^^^^^ of autKentica^i\on ; ^ 



'the entries riii'fi.fcs:. io'calK 
known Jt!eti be I". autftent isc'f ". . Cv?. ,', "'u,-' 



'Otherwise,; .-.the ' server. ) ;nqdej s ; iaut'herit ,-.j,;if. v.ili 

authentication credentials', from', the requester.''? :node ; sto..>Su;theHticatei.the*.t'../rij. 
request ^message : ; the.. ! pri'Vcipal.^;idehtif ier of .!".tne...f "eguesterV.arid' , 'the' 1 ; 1 ' :'''-<Jk( i-- 
received 'credentials are stored;, in a' .local rca'che .'by.v. the-.V'S.eryer... node^s.- .„ ' ...yj i.\ 
authentication- agent .'.-'/The 'seryer..prdcess also .stores : a. record,, in -its ... v ^ s . v ; , 
local'; cache indicating! that ' request^'messages^ f rom.. the .specif ied requester: ', 
are known to- be ''authentic.,,: thereby expediting , the process of V , ,•. j.j.h •„-• 
authenticating .r§.cei,Yed;.regues.£s.'. .' . ' ;,■.<:■■ •■ ..,r.'- ■'.'•' ■ ■■■{.:-,■ ■/ •:'«.'••. >/ •:■.■ ■ 
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symbol; then, 



0,e xaU' will-He considered the person mfa- 

in&the^eriisin.eff^^W 16 If to dialing string 
^^ISS^ answered, but 
contfins a "'.''Symbol, the can s w» wated as 



^figuration s ».f^:^Vne4 ON or OFErespec- 
configuration^ession is ? c ^™ u . thc Unit to discern 

being monitored has ; «J alert calls using the 

bytteUmt-TteUmtpaces^re^ed^ ^ in ^ 

! 'If the ^ command reguesi ""^Sjaig iigf-catt-is-placed 




